{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "aa69a8093ff985873cb44fe1157bd6db29a20fe4"
            },
            {
              "fixed": "1b72b834511d17f4d069d512f78671f3f210a2f1"
            },
            {
              "fixed": "f4fbf2d4750d12ac8525d2efac1016fa0d84d4ec"
            },
            {
              "fixed": "e74c436f8568af1c60942469d0a2300b3ada3857"
            },
            {
              "fixed": "cea2a1257a3b5ea3e769a445b34af13e6aa5a123"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.29"
            },
            {
              "fixed": "6.12.75"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.16"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "6.19.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43250.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()\n\nThe ChipIdea UDC driver can encounter \"not page aligned sg buffer\"\nerrors when a USB device is reconnected after being disconnected\nduring an active transfer. This occurs because _ep_nuke() returns\nrequests to the gadget layer without properly unmapping DMA buffers\nor cleaning up scatter-gather bounce buffers.\n\nRoot cause:\nWhen a disconnect happens during a multi-segment DMA transfer, the\nrequest's num_mapped_sgs field and sgt.sgl pointer remain set with\nstale values. The request is returned to the gadget driver with status\n-ESHUTDOWN but still has active DMA state. If the gadget driver reuses\nthis request on reconnect without reinitializing it, the stale DMA\nstate causes _hardware_enqueue() to skip DMA mapping (seeing non-zero\nnum_mapped_sgs) and attempt to use freed/invalid DMA addresses,\nleading to alignment errors and potential memory corruption.\n\nThe normal completion path via _hardware_dequeue() properly calls\nusb_gadget_unmap_request_by_dev() and sglist_do_debounce() before\nreturning the request. The _ep_nuke() path must do the same cleanup\nto ensure requests are returned in a clean, reusable state.\n\nFix:\nAdd DMA unmapping and bounce buffer cleanup to _ep_nuke() to mirror\nthe cleanup sequence in _hardware_dequeue():\n- Call usb_gadget_unmap_request_by_dev() if num_mapped_sgs is set\n- Call sglist_do_debounce() with copy=false if bounce buffer exists\n\nThis ensures that when requests are returned due to endpoint shutdown,\nthey don't retain stale DMA mappings. The 'false' parameter to\nsglist_do_debounce() prevents copying data back (appropriate for\nshutdown path where transfer was aborted).",
  "id": "CVE-2026-43250",
  "modified": "2026-07-08T05:39:01.953303835Z",
  "published": "2026-05-06T11:28:41.158Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1b72b834511d17f4d069d512f78671f3f210a2f1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cea2a1257a3b5ea3e769a445b34af13e6aa5a123"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e74c436f8568af1c60942469d0a2300b3ada3857"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f4fbf2d4750d12ac8525d2efac1016fa0d84d4ec"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43250.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43250"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "summary": "usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()"
}